Implementing shared libraries

I have what I think is a pretty basic question but I'm hoping I can get some detailed answers.

I'm running various Unix servers, including some FreeBSD implementations (3.4 version so this would mainly apply to FreeBSD but I assume it's generally the same for other Unix variants but please let me know if it isn't).

The utilities that come with Unix, such as bind, popper, ftpd, apache, sendmail, etc. always are much smaller in size than the later versions I compile and install to update the system.

I'm under the impression that what's going on here, is when I compile a newer version of, say Apache or Sendmail, by default the compilation is stand-alone, and in most cases, it could be compiled with some sort of shared library option which would dramatically reduce the size and memory overhead of the software? In the case of Apache, where you might have 100+ daemons spawned, I've been told that if I recompiled the program to share memory/libs that it would be much more memory efficient. How can I do this?

Specifically here are my questions:

1. Is there a special module or set of libraries that must be installed to implement this? Does it vary by OS/version? Where can I get this code if I don't have it already?

2. I'd like detailed instructions on how to compile the following programs to use these shared libraries: bind, ftpd/wuftp, popper, apache, sendmail, etc.

I'm assuming maybe it's a single extra compilation/linking command parameter? Is it true that by default none of these systems compile in this manner?

Any additional thoughts or comments on what I'm trying to do? It's frustrating to replace a 300k 2.0 version with a 4320k 2.1 version of a program...

Whether an application is built against dynamic libraries or static libraries has everything to do with the link process. In general the configure process for most things will pick dynamic libs over a static link option unless forced to do otherwise or unless it thinks that dynamic libs won't work on some particular system. It's been an awful long time since I've used FreeBSD 3.4, but I don't think I've ever had a problem building Apache or Bind with dynamic libs on 4.0 or later.

Are you building your utilities directly from source or via the ports collection?

It's easy to tell if something is dynamically linked or not. Just run ldd or file on the executable, i.e., 'ldd /usr/sbin/sendmail' or 'file /usr/sbin/sendmail'. Also be careful when comparing file sizes. For example, on a stock FreeBSD 4.4 system:

Okay, all of those are linked against dynamic libs. The size of Bind 9 sounds a bit on the big side compared to my copy on 4.4. I've got a system copy of Bind 8 that's 500Kb and a local version of Bind 9 that's 1.6Mb. That sounds about right to me since there's lots of stuff in Bind 9, like the crypto stuff for rndc & dynamic updates, that isn't in Bind 8. Your 8Mb copy sounds a bit on the large side, but I'd have to examine how it was built to determine if that's reasonable for a 3.4 system. It's possible that my 4.4 system has later versions of some routines in system libraries that Bind 9 requires. That could cause the activation of code from the Bind distribution to be built into your executable.

My sendmail copy has lots of other libraries included as it includes support for tcpwrappers, SSL encryption, and SASL authentication. Incidentally, that copy was built from the FreeBSD 4.4 sources by a tweak to the build options used by make world.
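Added example, not part of the original thread: `ldd` gets its answer by having the runtime linker process the file, so for a binary you have not vetted it is safer to read the ELF program headers directly. The sketch below reports whether an executable requests a runtime linker (PT_INTERP); the helper names and the sample image are constructed for illustration.

```python
import struct, sys

PT_INTERP = 3  # program header that names the runtime linker

def elf_linkage(data):
    """Classify an ELF executable from its headers alone, without running it."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, off_at, size_at = "Q", 8, 32    # p_offset / p_filesz positions
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, off_at, size_at = "I", 4, 16
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_INTERP:
            (off,) = struct.unpack_from(end + fmt, data, base + off_at)
            (size,) = struct.unpack_from(end + fmt, data, base + size_at)
            path = data[off:off + size].rstrip(b"\0").decode("ascii", "replace")
            return ("dynamic", path)
    return ("static", None)                  # no runtime linker requested

def sample_elf(interp=None):
    """Constructed sample: minimal ELF64 little-endian image, optional PT_INTERP."""
    path = interp.encode() + b"\0" if interp else b""
    phnum = 2 if interp else 1
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 4096)       # PT_LOAD
    intp = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 64 + 56 * phnum, 0, 0,
                       len(path), len(path), 1) if interp else b""
    return ident + ehdr + load + intp + path

if __name__ == "__main__":
    for name in sys.argv[1:]:                # e.g. /usr/sbin/sendmail
        with open(name, "rb") as fh:
            print(name, *elf_linkage(fh.read()))
    if len(sys.argv) == 1:                   # no files given: use the samples
        print(elf_linkage(sample_elf()))
        print(elf_linkage(sample_elf("/usr/libexec/ld-elf.so.1")))
```
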

Are you speaking of using an encrypted POP connection? Part of that involves what the clients support. I'm a big fan of the Cyrus IMAP implementation, which includes POP, IMAPS and POPS support (the latter are SSL encrypted connections).

The only disadvantage of the Cyrus implementation is that it works best when using SASL authentication rather than traditional Unix authentication. For my uses that's an advantage as I don't want ordinary users to have any access to my mail servers other than through IMAP or POP. By keeping their authentication tokens (username & password) in a SASL database rather than in passwd there's no way for a mail client user to break into the server or abuse their account because they don't have Unix accounts. Well, there's always the risk of a root exploit if you don't keep the system up to date w/respect to security advisories, but I have less to worry about if my mail server only has a root account and the accounts for a couple of trusted admins.

Other advantages of Cyrus lie in its handling of user INBOXes and its ability to apply mail quotas in a manner that is 'mail safe'. You can read more about Cyrus at http://asg.web.cmu.edu/

To check what may cause the reason why some libs are linked static, while others are linked dynamic, check the result of the configure command: its output and generated files like config.status (sorry swapped out of mind how this can be checked with FreeBSD's ports).
There you should find why configure decided to use static vs. dynamic, or even its own lib.

Jlevie, I think you earned the points but since we have such a cool thread going, let me ask you a tad about popper and what you think...

I am using Eudora (5.1) which supports a number of encryption mail checking options, which is why I installed Qualcomm's popper, but I can't seem to get any ssl or other encryption to work even though I have tons of crypt/ssl/openssl libs installed on my system (running apache w/mod_ssl with no troubles but could never get qpopper to use it - and qpopper is huge compared to the os's default pop3 client which is one reason that prompted me to investigate the whole shared lib issue).

I'll have to confess that it's been over 5 years since I last messed with Qualcomm's POP server. There wasn't any SSL stuff in that version and I would have had no reason to use it then even if it had been available.

How far do you get in trying to enable SSL in popper? Will it build with the libs from a recent OpenSSL distribution? Or are you having problems with generating and/or using a certificate (assuming that you're using a self-signed certificate)?

I really don't know - I just made the version that was included. Admittedly I'm really ticked off at how unnecessarily complicated the SSL/CA stuff is. I know it does not need to be so complicated and I find it annoying. Don't even get me started about the early days of integrating certs into Apache, which was a nightmare.

So basically I don't know. All I know is I'd like to use ANY pop3 server that has some kind of encryption.. I'm open to ideas.

You have my sympathies with respect to certificates. And I felt the same way until I did enough research to more fully understand certificates and certificate authorities. Now that I understand it a bit better I'm not so sure that the process could be simplified and still meet the requirements. And yes, the early days of certificates, before OpenSSL, were a royal pain. Especially since all of the certificates had to be obtained from a commercial vendor and they weren't wild about supporting anything but a Netscape or other commercial server.

Creating a local certificate authority and a self signed certificate can be made a lot easier with one of the script packages floating around on the Internet. I was less than thrilled with the way they worked so I wrote a perl script for creating self-signed certificates.

Setting up an email system for encrypted connections is a non-trivial task. Not only do you have the problem of making sure that the server (POP and SMTP) and the client share a common method, but you also need to generate a client side certificate and incorporate that into the client. None of this is documented very well and that's not so surprising considering the multitude of clients. If I were going to do an encrypted mail system I'd use the Cyrus implementation. There's a mailing list for Cyrus that is a very good resource if you run into problems.

On the client side, in Eudora for example, you can simply select the method, such as SSL. Does a certificate still need to be installed on the client side? This isn't necessary with SSL implementation in the browser, so why in email?

Is there a way to tell what support may be integrated into my POP3 servers? Any URL to a page which more-clearly documents this process?

All strip does is remove extraneous info from a binary, be it executable or a plain object. This useless info is normally just the symbol table, but will also include debug info if the file includes it. I've seen on many occasions a 300K binary (especially GNU stuff) strip down to less than 100K. If the code works, why carry loads of crap around with it?
